Hungary: Data protection authority imposes highest post-GDPR fine
The Hungarian National Authority for Data Protection and Freedom of Information (the "Authority" or "NAIH") recently imposed a fine of HUF 100m (approx. EUR 285,000) on Digi Távközlési Szolgáltató Kft. ("Digi"), one of the country's largest electronic communication service providers.
This is the highest data protection fine imposed in Hungary since the entry into force of the GDPR and the highest ever fine levied in Hungary for a violation of data protection regulations.
An ethical hacker discovered a vulnerability in Digi's website through which it was possible to access a "test database" containing a significant amount of personal and sensitive data of Digi's subscribers (e.g. name, date and place of birth, email address and password, bank account number and willingness to pay). The ethical hacker informed Digi of the vulnerability; Digi took corrective action and submitted a breach notification to the Authority within 72 hours, as prescribed by the GDPR.
In the mandatory investigation that followed the breach notification, the Authority examined all relevant circumstances of the case. Digi stated that the test database had been created while correcting an earlier error that made subscribers' personal data inaccessible (Digi's web server could not reach the database server). Digi had not encrypted the database because it believed that access restrictions and provisioning controls provided sufficient protection for the personal data concerned. However, it turned out that the ethical hacker was able to access not only Digi's database but also the user data of the system administrators.
The Authority found Digi to be in violation of the principle of purpose limitation, because it did not delete the test database once the troubleshooting was complete and the system errors had been corrected. As soon as Digi had solved the problem, the purpose of the processing ceased to exist and the test database should have been deleted. By retaining it, Digi also violated the principle of storage limitation.
In addition, the Authority established that the cause of the data breach was a lack of appropriate data security. According to an IT expert, the vulnerability uncovered by the ethical hacker could easily have been detected by an automated vulnerability-scanning tool of a kind that was available on the market. The lack of encryption not only increased the risk of a data breach, but made a substantial amount of personal and sensitive data accessible to unauthorised persons, which could result in identity theft. The exposure of the system administrators' user data further increased the severity of the breach, since that data could have been used to gain access to the website's administration interface.
The case highlights not only the importance of IT security and the prevention of unauthorised access to personal data as a core part of data protection, but also the importance of implementing systems that apply the principles of the GDPR in practice.